}\r
\r
void query(\r
- ResolutionContext& ctx, const NameIdentifier& nameid, const vector<const char*>* attributes=NULL\r
+ ResolutionContext& ctx, const NameIdentifier& nameid, const set<string>* attributes=NULL\r
) const;\r
void query(\r
- ResolutionContext& ctx, const NameID& nameid, const vector<const char*>* attributes=NULL\r
+ ResolutionContext& ctx, const NameID& nameid, const set<string>* attributes=NULL\r
) const;\r
void resolve(\r
- ResolutionContext& ctx, const saml1::Assertion* token, const vector<const char*>* attributes=NULL\r
+ ResolutionContext& ctx, const saml1::Assertion* token, const set<string>* attributes=NULL\r
) const;\r
void resolve(\r
- ResolutionContext& ctx, const saml2::Assertion* token, const vector<const char*>* attributes=NULL\r
+ ResolutionContext& ctx, const saml2::Assertion* token, const set<string>* attributes=NULL\r
) const;\r
\r
bool m_allowQuery;\r
+\r
private:\r
+ void populateQuery(saml1p::AttributeQuery& query, const string& id) const;\r
+ void populateQuery(saml2p::AttributeQuery& query, const string& id) const;\r
+\r
DOMDocument* m_document;\r
map<string,AttributeDecoder*> m_decoderMap;\r
#ifdef HAVE_GOOD_STL\r
- map< pair<xstring,xstring>,pair<const AttributeDecoder*,string> > m_attrMap;\r
+ typedef map< pair<xstring,xstring>,pair<const AttributeDecoder*,string> > attrmap_t;\r
#else\r
- map< pair<string,string>,pair<const AttributeDecoder*,string> > m_attrMap;\r
+ typedef map< pair<string,string>,pair<const AttributeDecoder*,string> > attrmap_t;\r
#endif\r
+ attrmap_t m_attrMap;\r
};\r
\r
class SimpleResolver : public AttributeResolver, public ReloadableXMLFile\r
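Review bot: The `attributes=NULL` default on the four declarations here now has a meaning the old `vector<const char*>*` did not: the resolve() bodies later in this patch test `!attributes || attributes->count(...)`, so a NULL pointer resolves every mapped rule while an empty, non-NULL set resolves none, whereas the removed code treated an empty list as "no filter" as well. A caller that passes an empty set to mean "everything" would silently get nothing back, and nothing in the header says which is intended. I'd put one line above the first `void query(` declaration: `// attributes: NULL resolves every mapped attribute; an empty set resolves none.` The same test appears in both resolve() overloads and in the new encrypted-attribute loop, so documenting it once on the interface is enough.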
return new SimpleContext(application,session);\r
}\r
\r
- void resolveAttributes(ResolutionContext& ctx, const vector<const char*>* attributes=NULL) const;\r
+ void resolveAttributes(ResolutionContext& ctx, const set<string>* attributes=NULL) const;\r
\r
protected:\r
pair<bool,DOMElement*> load();\r
}\r
\r
void SimpleResolverImpl::resolve(\r
- ResolutionContext& ctx, const saml1::Assertion* token, const vector<const char*>* attributes\r
+ ResolutionContext& ctx, const saml1::Assertion* token, const set<string>* attributes\r
) const\r
{\r
- set<string> aset;\r
- if (attributes)\r
- for(vector<const char*>::const_iterator i=attributes->begin(); i!=attributes->end(); ++i)\r
- aset.insert(*i);\r
-\r
vector<shibsp::Attribute*>& resolved = ctx.getResolvedAttributes();\r
\r
auto_ptr_char assertingParty(ctx.getEntityDescriptor() ? ctx.getEntityDescriptor()->getEntityID() : NULL);\r
- const char* relyingParty = ctx.getApplication().getString("providerId").second;\r
+ const char* relyingParty = ctx.getApplication().getString("entityID").second;\r
\r
#ifdef HAVE_GOOD_STL\r
map< pair<xstring,xstring>,pair<const AttributeDecoder*,string> >::const_iterator rule;\r
auto_ptr_char temp(format);\r
if ((rule=m_attrMap.find(make_pair(temp.get(),string()))) != m_attrMap.end()) {\r
#endif\r
- if (aset.empty() || aset.count(rule->second.second)) {\r
+ if (!attributes || attributes->count(rule->second.second)) {\r
resolved.push_back(\r
rule->second.first->decode(\r
rule->second.second.c_str(), ctx.getNameID(), assertingParty.get(), relyingParty\r
auto_ptr_char temp2(format);\r
if ((rule=m_attrMap.find(make_pair(temp1.get(),temp2.get()))) != m_attrMap.end()) {\r
#endif\r
- if (aset.empty() || aset.count(rule->second.second)) {\r
+ if (!attributes || attributes->count(rule->second.second)) {\r
resolved.push_back(\r
rule->second.first->decode(rule->second.second.c_str(), *a, assertingParty.get(), relyingParty)\r
);\r
}\r
\r
void SimpleResolverImpl::resolve(\r
- ResolutionContext& ctx, const saml2::Assertion* token, const vector<const char*>* attributes\r
+ ResolutionContext& ctx, const saml2::Assertion* token, const set<string>* attributes\r
) const\r
{\r
- set<string> aset;\r
- if (attributes)\r
- for(vector<const char*>::const_iterator i=attributes->begin(); i!=attributes->end(); ++i)\r
- aset.insert(*i);\r
-\r
vector<shibsp::Attribute*>& resolved = ctx.getResolvedAttributes();\r
\r
auto_ptr_char assertingParty(ctx.getEntityDescriptor() ? ctx.getEntityDescriptor()->getEntityID() : NULL);\r
- const char* relyingParty = ctx.getApplication().getString("providerId").second;\r
+ const char* relyingParty = ctx.getApplication().getString("entityID").second;\r
\r
#ifdef HAVE_GOOD_STL\r
map< pair<xstring,xstring>,pair<const AttributeDecoder*,string> >::const_iterator rule;\r
auto_ptr_char temp(format);\r
if ((rule=m_attrMap.find(make_pair(temp.get(),string()))) != m_attrMap.end()) {\r
#endif\r
- if (aset.empty() || aset.count(rule->second.second)) {\r
+ if (!attributes || attributes->count(rule->second.second)) {\r
resolved.push_back(\r
rule->second.first->decode(\r
rule->second.second.c_str(), ctx.getNameID(), assertingParty.get(), relyingParty\r
auto_ptr_char temp2(format);\r
if ((rule=m_attrMap.find(make_pair(temp1.get(),temp2.get()))) != m_attrMap.end()) {\r
#endif\r
- if (aset.empty() || aset.count(rule->second.second)) {\r
+ if (!attributes || attributes->count(rule->second.second)) {\r
resolved.push_back(\r
rule->second.first->decode(rule->second.second.c_str(), *a, assertingParty.get(), relyingParty)\r
);\r
}\r
}\r
}\r
+\r
+ const vector<saml2::EncryptedAttribute*>& encattrs = const_cast<const saml2::AttributeStatement*>(*s)->getEncryptedAttributes();\r
+ if (!encattrs.empty()) {\r
+ const XMLCh* recipient = ctx.getApplication().getXMLString("entityID").second;\r
+ CredentialResolver* cr = ctx.getApplication().getCredentialResolver();\r
+ if (!cr) {\r
+ Category::getInstance(SHIBSP_LOGCAT".AttributeResolver").warn(\r
+ "found encrypted attributes, but no CredentialResolver was available"\r
+ );\r
+ return;\r
+ }\r
+\r
+ // We look up credentials based on the peer who did the encrypting.\r
+ CredentialCriteria cc;\r
+ cc.setPeerName(assertingParty.get());\r
+\r
+ Locker credlocker(cr);\r
+ for (vector<saml2::EncryptedAttribute*>::const_iterator ea = encattrs.begin(); ea!=encattrs.end(); ++ea) {\r
+ auto_ptr<XMLObject> decrypted((*ea)->decrypt(*cr, recipient, &cc));\r
+ const saml2::Attribute* decattr = dynamic_cast<const saml2::Attribute*>(decrypted.get());\r
+ name = decattr->getName();\r
+ format = decattr->getNameFormat();\r
+ if (!name || !*name)\r
+ continue;\r
+ if (!format || !*format)\r
+ format = saml2::Attribute::UNSPECIFIED;\r
+ else if (XMLString::equals(format, saml2::Attribute::URI_REFERENCE))\r
+ format = &chNull;\r
+#ifdef HAVE_GOOD_STL\r
+ if ((rule=m_attrMap.find(make_pair(name,format))) != m_attrMap.end()) {\r
+#else\r
+ auto_ptr_char temp1(name);\r
+ auto_ptr_char temp2(format);\r
+ if ((rule=m_attrMap.find(make_pair(temp1.get(),temp2.get()))) != m_attrMap.end()) {\r
+#endif\r
+ if (!attributes || attributes->count(rule->second.second)) {\r
+ resolved.push_back(\r
+ rule->second.first->decode(rule->second.second.c_str(), decattr, assertingParty.get(), relyingParty)\r
+ );\r
+ }\r
+ }\r
+ }\r
+ }\r
}\r
}\r
\r
-void SimpleResolverImpl::query(ResolutionContext& ctx, const NameIdentifier& nameid, const vector<const char*>* attributes) const\r
+void SimpleResolverImpl::query(ResolutionContext& ctx, const NameIdentifier& nameid, const set<string>* attributes) const\r
{\r
#ifdef _DEBUG\r
xmltooling::NDC ndc("query");\r
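Review bot: `decattr` is dereferenced unconditionally on the line after the `dynamic_cast`, so a decrypted element that is not a saml2:Attribute (or a `decrypt` that yields NULL, if it can) ends in a null dereference while processing a peer-supplied assertion; add `if (!decattr) continue;` before `name = decattr->getName();`. The `decrypt` call is also outside any try block, so if it throws on a bad key or malformed EncryptedData the whole resolve() unwinds instead of skipping that one attribute — I'd confirm xmltooling's contract and, if it throws, catch per attribute and log at warn, as the missing-CredentialResolver path already does. The `const_cast<const saml2::AttributeStatement*>(*s)` only adds const, which an implicit conversion (or `static_cast`) does without the alarming name. The enclosing resolve() starts outside this hunk, and `name`, `format`, `rule` and `s` are declared there.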
return;\r
}\r
\r
- SecurityPolicy policy;\r
- shibsp::SOAPClient soaper(ctx.getApplication(),policy);\r
+ shibsp::SecurityPolicy policy(ctx.getApplication());\r
+ MetadataCredentialCriteria mcc(*AA);\r
+ shibsp::SOAPClient soaper(policy);\r
const PropertySet* policySettings = ctx.getApplication().getServiceProvider().getPolicySettings(ctx.getApplication().getString("policyId").second);\r
pair<bool,bool> signedAssertions = policySettings->getBool("signedAssertions");\r
\r
if (!XMLString::equals((*ep)->getBinding(),binding.get()))\r
continue;\r
auto_ptr_char loc((*ep)->getLocation());\r
- auto_ptr_XMLCh issuer(ctx.getApplication().getString("providerId").second);\r
+ auto_ptr_XMLCh issuer(ctx.getApplication().getString("entityID").second);\r
saml1::Subject* subject = saml1::SubjectBuilder::buildSubject();\r
subject->setNameIdentifier(nameid.cloneNameIdentifier());\r
saml1p::AttributeQuery* query = saml1p::AttributeQueryBuilder::buildAttributeQuery();\r
request->setAttributeQuery(query);\r
query->setResource(issuer.get());\r
request->setMinorVersion(version);\r
+ if (attributes) {\r
+ for (set<string>::const_iterator a = attributes->begin(); a!=attributes->end(); ++a)\r
+ populateQuery(*query, *a);\r
+ }\r
+\r
SAML1SOAPClient client(soaper);\r
- client.sendSAML(request, *AA, loc.get());\r
+ client.sendSAML(request, mcc, loc.get());\r
response = client.receiveSAML();\r
}\r
catch (exception& ex) {\r
resolve(ctx, newtoken, attributes);\r
}\r
\r
-void SimpleResolverImpl::query(ResolutionContext& ctx, const NameID& nameid, const vector<const char*>* attributes) const\r
+void SimpleResolverImpl::populateQuery(saml1p::AttributeQuery& query, const string& id) const\r
+{\r
+ for (attrmap_t::const_iterator i = m_attrMap.begin(); i!=m_attrMap.end(); ++i) {\r
+ if (i->second.second == id) {\r
+ AttributeDesignator* a = AttributeDesignatorBuilder::buildAttributeDesignator();\r
+#ifdef HAVE_GOOD_STL\r
+ a->setAttributeName(i->first.first.c_str());\r
+ a->setAttributeNamespace(i->first.second.empty() ? shibspconstants::SHIB1_ATTRIBUTE_NAMESPACE_URI : i->first.second.c_str());\r
+#else\r
+ auto_ptr_XMLCh n(i->first.first.c_str());\r
+ a->setAttributeName(n.get());\r
+ if (i->first.second.empty())\r
+ a->setAttributeNamespace(shibspconstants::SHIB1_ATTRIBUTE_NAMESPACE_URI);\r
+ else {\r
+ auto_ptr_XMLCh ns(i->first.second.c_str());\r
+ a->setAttributeNamespace(ns.get());\r
+ }\r
+#endif\r
+ query.getAttributeDesignators().push_back(a);\r
+ }\r
+ }\r
+}\r
+\r
+void SimpleResolverImpl::query(ResolutionContext& ctx, const NameID& nameid, const set<string>* attributes) const\r
{\r
#ifdef _DEBUG\r
xmltooling::NDC ndc("query");\r
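Review bot: populateQuery(saml1p::AttributeQuery&, const string&) has no comment and its contract is not obvious from the name: it walks every rule in m_attrMap and appends one AttributeDesignator per rule whose decoded attribute id equals `id`, with an empty rule namespace mapped to SHIB1_ATTRIBUTE_NAMESPACE_URI. Suggest a line above the definition: `// Append a designator for every map rule whose decoded id matches; an empty rule namespace means the Shib1 default.` The saml2 overload further down does the same with the NameFormat defaulting to URI_REFERENCE, so the same comment (with that substitution) belongs there. Note the callers invoke this once per requested id, so each query costs a full scan of m_attrMap per id — fine for a handful of attributes, but worth a word if the map grows.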
return;\r
}\r
\r
- SecurityPolicy policy;\r
- shibsp::SOAPClient soaper(ctx.getApplication(),policy);\r
+ shibsp::SecurityPolicy policy(ctx.getApplication());\r
+ MetadataCredentialCriteria mcc(*AA);\r
+ shibsp::SOAPClient soaper(policy);\r
const PropertySet* policySettings = ctx.getApplication().getServiceProvider().getPolicySettings(ctx.getApplication().getString("policyId").second);\r
pair<bool,bool> signedAssertions = policySettings->getBool("signedAssertions");\r
\r
if (!XMLString::equals((*ep)->getBinding(),binding.get()))\r
continue;\r
auto_ptr_char loc((*ep)->getLocation());\r
- auto_ptr_XMLCh issuer(ctx.getApplication().getString("providerId").second);\r
+ auto_ptr_XMLCh issuer(ctx.getApplication().getString("entityID").second);\r
saml2::Subject* subject = saml2::SubjectBuilder::buildSubject();\r
subject->setNameID(nameid.cloneNameID());\r
saml2p::AttributeQuery* query = saml2p::AttributeQueryBuilder::buildAttributeQuery();\r
Issuer* iss = IssuerBuilder::buildIssuer();\r
query->setIssuer(iss);\r
iss->setName(issuer.get());\r
+ if (attributes) {\r
+ for (set<string>::const_iterator a = attributes->begin(); a!=attributes->end(); ++a)\r
+ populateQuery(*query, *a);\r
+ }\r
+\r
SAML2SOAPClient client(soaper);\r
- client.sendSAML(query, *AA, loc.get());\r
+ client.sendSAML(query, mcc, loc.get());\r
srt = client.receiveSAML();\r
}\r
catch (exception& ex) {\r
resolve(ctx, newtoken, attributes);\r
}\r
\r
-void SimpleResolver::resolveAttributes(ResolutionContext& ctx, const vector<const char*>* attributes) const\r
+void SimpleResolverImpl::populateQuery(saml2p::AttributeQuery& query, const string& id) const\r
+{\r
+ for (attrmap_t::const_iterator i = m_attrMap.begin(); i!=m_attrMap.end(); ++i) {\r
+ if (i->second.second == id) {\r
+ saml2::Attribute* a = saml2::AttributeBuilder::buildAttribute();\r
+#ifdef HAVE_GOOD_STL\r
+ a->setName(i->first.first.c_str());\r
+ a->setNameFormat(i->first.second.empty() ? saml2::Attribute::URI_REFERENCE : i->first.second.c_str());\r
+#else\r
+ auto_ptr_XMLCh n(i->first.first.c_str());\r
+ a->setName(n.get());\r
+ if (i->first.second.empty())\r
+ a->setNameFormat(saml2::Attribute::URI_REFERENCE);\r
+ else {\r
+ auto_ptr_XMLCh ns(i->first.second.c_str());\r
+ a->setNameFormat(ns.get());\r
+ }\r
+#endif\r
+ query.getAttributes().push_back(a);\r
+ }\r
+ }\r
+}\r
+\r
+void SimpleResolver::resolveAttributes(ResolutionContext& ctx, const set<string>* attributes) const\r
{\r
#ifdef _DEBUG\r
xmltooling::NDC ndc("resolveAttributes");\r